Integrating with SentinelOne – Full Guide

Learn how to integrate SentinelOne with Hyver, sync threat data, and manage findings in one place.

Updated over 3 months ago

1. Introduction

SentinelOne provides intelligent, data-driven cybersecurity across the enterprise, designed to meet evolving threats. Its Singularity XDR platform uses machine learning and advanced analytics to defend against malware, ransomware, and advanced persistent threats (APTs).

By integrating SentinelOne with Hyver, findings and threat data from SentinelOne are automatically ingested and displayed on the Findings page in Hyver. This allows you to view, manage, and prioritize these findings within the broader context of your organization’s cyber risk.


2. Prerequisites

Before setting up the integration, make sure you have:

  • The SentinelOne server URL

  • A valid SentinelOne API token

  • Access to the SentinelOne console with admin permissions to create the token

  • Access to vulnerability data and threat data from the SentinelOne EDR

  • Hyver administrator permissions, required to add the integration

How the Integration Works

The SentinelOne integration follows the same flow as most Hyver integrations. It consists of two main parts:

  1. Creating the API credentials in SentinelOne.

  2. Entering those credentials into Hyver.

Required IP Addresses

For the integration to work smoothly, you may need to allow traffic from Hyver’s servers in your firewall or network configuration. This ensures that Hyver can securely connect to your environment and perform scans without being blocked.

Depending on your region and the type of scan, add the following IP addresses:

  • General IPs:

    • Europe: 18.198.79.197

    • America: 52.1.10.176, 35.171.70.87

  • IPs for Azure and AWS Scans:

    • Europe: 18.158.77.90

    • America: 34.206.252.13

In most cases, you only need to add the IPs relevant to your region and use case.
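
The following Python example is added here and is not part of Hyver or SentinelOne. It picks the minimal set of Hyver source IPs for a region and use case, then audits firewall log lines for required IPs that are being denied and for Hyver IPs that are allowed but not needed. The log format, function names, and sample lines are constructed for illustration; only the IP addresses come from the list above.

```python
import ipaddress
import re

# Source IPs published on this page, keyed by (use case, region).
HYVER_IPS = {
    ("general", "europe"): ["18.198.79.197"],
    ("general", "america"): ["52.1.10.176", "35.171.70.87"],
    ("cloud", "europe"): ["18.158.77.90"],
    ("cloud", "america"): ["34.206.252.13"],
}

def required_ips(region, cloud_scans=False):
    """Minimal allowlist: general IPs, plus Azure/AWS scan IPs only if used."""
    ips = list(HYVER_IPS[("general", region)])
    if cloud_scans:
        ips += HYVER_IPS[("cloud", region)]
    return {ipaddress.ip_address(ip) for ip in ips}

# Constructed (hypothetical) log format, not a real product's:
#   <timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>
LOG_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")

def audit(log_lines, region, cloud_scans=False):
    """Report required Hyver IPs being denied and unneeded ones being allowed."""
    needed = required_ips(region, cloud_scans)
    every = {ipaddress.ip_address(i) for ips in HYVER_IPS.values() for i in ips}
    report = {"blocked_required": set(), "allowed_unneeded": set(), "unparsed": 0}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        try:
            src = ipaddress.ip_address(m.group(3)) if m else None
        except ValueError:
            src = None
        if src is None:                 # malformed line or bad address
            report["unparsed"] += 1
        elif m.group(2) == "DENY" and src in needed:
            report["blocked_required"].add(str(src))
        elif m.group(2) == "ALLOW" and src in every - needed:
            report["allowed_unneeded"].add(str(src))
    return report

# Constructed sample log lines for a Europe tenant.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z DENY src=18.198.79.197 dst=10.0.0.5 dport=443",
    "2024-01-01T10:00:05Z ALLOW src=52.1.10.176 dst=10.0.0.5 dport=443",
    "2024-01-01T10:00:09Z ALLOW src=18.158.77.90 dst=10.0.0.5 dport=443",
    "2024-01-01T10:00:12Z DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "garbage line",
]
```

An entry under `blocked_required` points to a missing allow rule, and an entry under `allowed_unneeded` is a rule that can be removed to keep the allowlist to the region and use case in use.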

Multi-Company Dashboard and Integrations

This section explains how Hyver’s Multi-Company Dashboard works in general, and how integrations behave when used in a Multi-Company setup.

What is the Multi-Company Dashboard?

Hyver’s Multi-Company Dashboard is designed for large enterprises with multiple subsidiaries. It gives you:

  • A centralized view of cybersecurity risk across the entire organization

  • Key metrics like exposure, cost of breach, and maturity scores

  • The ability to switch between subsidiaries and view their individual data

  • Parent admins and power users can view aggregated and subsidiary-level risk, while detailed findings remain visible only to members of the specific subsidiary

  • Data that updates in real time

To enable Multi-Company, contact your CYE Technical Account Manager.

How Integrations Work in Multi-Company

Here’s the important part:

  • Integrations are created only at the subsidiary level

  • Findings from an integration appear only in that subsidiary’s dashboards and reports

  • Parent companies cannot create integrations — they can only view the aggregated results

Best Practices for Combining Integrations with Multi-Company

To get the most out of Multi-Company with integrations, we recommend:

  • Each subsidiary should create its own integration, using credentials that only grant access to data relevant to that subsidiary

  • In some cases, it’s useful to also have a dedicated “General” company, which holds findings that apply to the entire enterprise and cannot be tied to a single subsidiary

  • The parent company then combines these insights and metrics from all subsidiaries and the General company — but remember, integrations cannot be connected directly to the parent company.


3. Configuring on the SentinelOne Side

Create an API Token in SentinelOne 

  1. Log in to your SentinelOne management console.

    • You must be an administrator to complete this step.

  2. From the left-hand navigation menu, go to:
    Settings → Users → Service Users → Actions → Create a New User

  3. Enter a name of your choice. This will serve as the Hyver username in SentinelOne.

    • Description is optional.

    • Expiration Date is required. Choose the maximum value (two years). SentinelOne will display a warning against using more than one month, but for this integration, a long-lived token is necessary.

  4. Click Next.

Assign Permissions

  1. Under Site, select the relevant account and check the Default Site box.

    • SentinelOne accounts can contain multiple sites. Make sure you select the correct one.

  2. In the Permissions section, assign the Viewer role.

  3. Click Create User.

    • This generates the API token for the selected site.

    • Copy the token — you will need to paste it later in Hyver.

Copy the Console Domain

Hyver also requires the Console Domain from SentinelOne:

  • Copy the URL from your browser’s address bar while in the SentinelOne console.

  • Use the domain portion of the URL (as marked in the example provided by SentinelOne).

  • This value will be entered into the second required field in Hyver.


4. Configuring in Hyver

Now that you have the required details from SentinelOne, the next step is to configure the integration in Hyver.

  1. In Hyver, click the gear icon (upper right) to open the Settings page.

  2. From the left-hand tabs, select Integrations and Workflows.

  3. Scroll down to the SentinelOne card and click Add.

A setup page opens where you need to provide the details created in SentinelOne. Two fields are required:

  • SentinelOne Token – Paste the API token you created in Step 1.1.

  • SentinelOne Management Console Full Domain – Enter the console domain copied in Step 1.2.

    • Make sure to enter it without the http:// or https:// prefix.

You can also enter a name for the integration to help identify it later.

Verify and Save

  1. Click Verify Connection.

    • If the connection is successful, you will see a green confirmation message.

  2. Click Save to complete the setup.

If the connection fails:

  • Double-check your network connectivity.

  • Confirm that you copied the token and console domain correctly.

  • If needed, generate a new token in SentinelOne and try again.

If you still experience issues, contact our support team at [email protected], or use the support chat bot by clicking the round icon at the bottom of the Hyver screen.

Once the connection is verified and saved, the integration is complete.

Note that data is ingested from SentinelOne every 24 hours.


5. Viewing Results

Integration Added as a Technology Asset

When the integration with SentinelOne is completed successfully, Hyver automatically generates a new technology asset with the following details:

  • Asset type: Vulnerability Management and EDR

  • Technology name: SentinelOne

  • Engagement: Integration with external tools

This technology asset is also automatically mapped to the NIST Cybersecurity Framework (CSF).

In Hyver, technologies are treated as assets. They represent security tools that support specific NIST subcategories, contribute to your organization’s overall security maturity, and are factored into the maturity level calculation.

Viewing SentinelOne Findings

To focus specifically on SentinelOne data:

  1. Go to the Findings page in Hyver.

  2. Use the Sources filter to select SentinelOne.

This allows you to narrow down the findings and view only those ingested from SentinelOne, or combine them with other sources as needed.

Collected Endpoints

Collected endpoints are the data points Hyver retrieves directly from SentinelOne. They represent the findings, assets, and threat information that Hyver uses to enrich its risk analysis and maturity assessments.

For the SentinelOne integration, Hyver collects the following endpoints:

  • Vulnerability Management

    • Applications installed on company endpoints – An inventory of software installed across your organization’s devices.

    • CVEs found in applications – Known security vulnerabilities (Common Vulnerabilities and Exposures) identified in the installed applications.

  • EDR (Endpoint Detection and Response)

    • Threats detected by SentinelOne EDR – Alerts and findings from SentinelOne’s detection engine, covering malware, ransomware, and other advanced threats.

In simple terms, these collected endpoints give Hyver visibility into both the software vulnerabilities present on your endpoints and the active threats detected by SentinelOne. This combination allows Hyver to factor both potential weaknesses and real-world attack activity into its risk quantification.


6. Types of Fetched Entities

Findings and Threat Data

Hyver ingests findings and threat data from SentinelOne every 24 hours. This ensures that the information you see in Hyver is regularly updated and aligned with your SentinelOne environment.


Wrap-up

In this article, we walked through the full process of integrating SentinelOne with Hyver. You learned how to create and configure an API token in SentinelOne, set up the integration in Hyver, and verify the connection. We also reviewed how SentinelOne appears in Hyver as a technology asset, and how findings and threat data are ingested and displayed every 24 hours. With this integration in place, you can view, filter, and manage SentinelOne findings directly within Hyver’s risk and maturity framework.
